Emerging Threat (level: low, status: test)

Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE

Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service. During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives). Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.

Cybex
Created: Tue Aug 16
Updated: Mon Nov 03
Rule ID: 52a85084-6989-40c3-8f32-091e12e17692
Year: 2022
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Service: application (raw: application)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 1511
        Provider_Name: 'Microsoft-Windows-User Profiles Service'
    condition: selection
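The selector above is a single equality pair, so it is worth seeing how it behaves over real-looking records, and how the paired EventID 1515 from the description can be used during triage without being folded into the rule itself (the rule keeps only 1511 because 1515 is noisy). The following Python is an added example, not the rule's or the catalog's own code; the event records, host names and timestamps are constructed, and the field names EventID and Provider_Name are taken from the rule.

```python
"""Added example (not part of the Sigma rule or this catalog page): applies the
rule's selection (EventID 1511 from Microsoft-Windows-User Profiles Service) to
constructed Windows Application log records, then reports per host whether the
noisy EventID 1515 the description mentions landed close to the 1511, which is a
triage hint rather than part of the rule's condition. All records are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

PROVIDER = "Microsoft-Windows-User Profiles Service"

# Constructed sample records; field names follow the Sigma rule (EventID, Provider_Name).
SAMPLE_EVENTS = [
    {"time": "2022-08-16T10:00:01", "host": "ws01", "EventID": 1511, "Provider_Name": PROVIDER},
    {"time": "2022-08-16T10:00:02", "host": "ws01", "EventID": 1515, "Provider_Name": PROVIDER},
    {"time": "2022-08-16T11:30:00", "host": "ws02", "EventID": 1515, "Provider_Name": PROVIDER},
    {"time": "2022-08-16T12:00:00", "host": "ws03", "EventID": 1511, "Provider_Name": "Some-Other-Provider"},
    {"time": "2022-08-16T12:05:00", "host": "ws04", "EventID": 1511, "Provider_Name": PROVIDER},
]


def sigma_selection(event):
    """The rule's only selector: EventID 1511 AND the exact Provider_Name."""
    return event.get("EventID") == 1511 and event.get("Provider_Name") == PROVIDER


def match_rule(events):
    """Return the records that satisfy `condition: selection`."""
    return [e for e in events if sigma_selection(e)]


def triage(events, window=timedelta(minutes=5)):
    """For each host that fired the rule, note whether a 1515 from the same
    provider occurred within `window` of the 1511. The description says both
    events appear during exploitation, so a paired 1515 strengthens the alert;
    a lone 1511 is more consistent with the corrupted-profile false positive."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    report = {}
    for hit in match_rule(events):
        t = datetime.fromisoformat(hit["time"])
        paired = any(
            other["EventID"] == 1515
            and other["Provider_Name"] == PROVIDER
            and abs(datetime.fromisoformat(other["time"]) - t) <= window
            for other in by_host[hit["host"]]
        )
        report[hit["host"]] = {"rule_match": True, "paired_1515": paired}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, info)
```

Running it against the constructed records, ws01 matches with a paired 1515, ws04 matches without one, ws02 is not reported because a 1515 alone never satisfies the rule, and ws03 is excluded by the provider check. The \Users\TEMP directory mentioned in the description is a host-side artefact that this log-only example cannot observe; checking for it is a follow-up on the endpoint.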
False Positives

Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx

MITRE ATT&CK
Execution (tag: attack.execution)

Other
detection.emerging-threats, cve.2022-21919, cve.2021-34484
Rule Metadata
Rule ID
52a85084-6989-40c3-8f32-091e12e17692
Status
test
Level
low
Type
Emerging Threat
Created
Tue Aug 16
Modified
Mon Nov 03
Author
Path
rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml
Raw Tags
attack.execution, detection.emerging-threats, cve.2022-21919, cve.2021-34484